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The Director of Central Intelligence 
Washington, D.C. 20505 


DCI/RM 80-18 
2 June 1980 


Resource Management Staff 


25X1 MEMORANDUM FOR: [._______] 


Special Assistant to the DCI 
for Compartmentation 


25X1 VIA: Pie eee S| 

trector, Information Resources Office 
25X1 FROM: ee 

ntormation Resources Office 


SUBJECT: Comments on Requests for Excess 4C Funds 


REFERENCES: A. Discussion of Requests for Excess 4C 
Funds, SA/DCI/C, dtd 23 May 1980 
B. DCI Funds for the APEX Implementation, 
D/DODIIS Engineering, dtd 18 March 1980 


1. The analysis and prioritization presented in Reference A is 
reasonable and appropriate at this time. Because of the heterogeneous 
nature of the DIA organizations and computer systems they represent, I 
agree that funds remaining after possible travel and indoctrination aid 
expenses should be considered for allocation to a DIA study effort. I do 
not agree with the nature of the study as proposed in Reference B. It is 
my impression that the DIA proposed study addresses a problem which may or 
may not exist several years from now. It would seem more appropriate for 
DIA to address near term (FY 81-FY 83) ADP-T modifications required to 
adjust to potential changes in electrical message formats resulting from 
APEX implementation. 


2. Before discussing the DIA proposal in detail, some general 
observations are appropriate. With respect to APEX and ADP-T, I would 
Submit, there are three basic variables--number of APEX billets, DCID 
1/16, and resources (assuming the level of ADP support is at least 
constant). That is, changes in any one of these three factors should 
affect the other two. If the number of billets are arbitrarily 
reduced either DCID 1/16 must be changed or money spent to implement 
compartmented mode processing or partially redundant additional ADP 
Support. It appears that the DIA proposal assumes that billets of ADP 
users will be reduced and that DCID 1/16 will not be modified to adjust 
the APEX environment. 
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3. With respect to billets, I feel there cannot and will not be a 
great reduction of accesses granted to current ADP users. The fact that 
al] COMINT product remains in APEX and that there will be no data base 
retrofit supports this argument. After the decompartmentation of IMAGERY 
and ELINT, ADP users requiring only access to collateral current data will 
have to have APEX clearance to access old TK data for several years. In 
addition, I would submit, that the majority of the computer systems listed 
in Reference B are presently operating in an SCI system high mode* (SI/TK, ‘ 
TK, or SI). I suggest this assumption be verified by tasking DIA to 
supply the following information for each computer Tisted in Reference B: 


Indicate Mode** ~ Dedicated, System High, Compartmented 
or mix time periods 


Indicate Security - Unclassified, Collateral, SI/TK, SI, 
Certification Tk,| _] etc. 


Indicate Connection - IDHSCI, IDHSCII, COINS, AUTODIN, etc. 
to Networks — : 


. 4. It may be appropriate to modify DCID 1/16 to adjust to an APEX 
environment. Since an objective of APEX is to clarify the distinction 
between Operational compartments and Product compartments, it might be 
appropriate to address this in the context of DCID 1/16. That is, 
should. the rules be more rigorous for separating Operational compartments® 


‘data from each other and Product, than the separation of Product access? 


Specifically, DCID 1/16 defines compartmented mode as a "system processing 
two or more types of SCI, or any one type of SCI with other than SCI." 
Mixing both SCI and non SCI users on the same system may not be feasible 
and would be expensive. But, as noted in paragraph 3, this may not be as 
significant a problem as Reference B indicates. It seems to me a basic” 
issue for DIA and the Community is the interpretation (or modification) of 
DCID 1/16 with respect to Product compartments. That is, for example, if 
a computer system contains both IMAGERY and COMINT APEX product, everyone 
using the computer must have approved access to those compartments (System 
High Mode) whether they need it or not. Operating in a compartmented mode 
implies that some users require only COMINT or IMAGERY and under current 
DCID 1/16 the computer system must have extensive physical security 
capabilities. These capabilities are certainly warranted if one wishes to 


*DCID I716 (6 June 78), Computer Security Regulation, Sec. II.2.b, p. 4. 
**IBID, Sec. II.2.a, 11.2.b, II.2.c. 
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mix SCI with non SCI users or, possibly, mixing operational and product 
data, but the if the DCID 1/16 physical security rules were relaxed 
somewhat a reduction in access billets might be achievable at a minimum 
cost. Given the above example, everyone using the computer would be 
cleared for APEX, some with COMINT/IMAGERY access, and some with COMINT 
only or IMAGERY only access. The computer system and data bases need only 
to restrict access’ to data enforcing the need-to-know principle but not 

7 meeting all of the security requirements of DCID 1/16. In other words, we 
should have less concern about an accidental data spillage between Product 
compartments than between APEX Products, APEX Operational, and non SCI 
computer users. 


| 
5. When APEX is implemented what cannot be done, will not be done. 
No one should be turned away from their ADP support because of APEX. In 
the short run, it may be necessary to grant APEX clearance just so someone 
gets his present ADP support. Until we know more about what will be in or 
out of the TECHNICAL and IMAGERY compartments and experience this new 
environment, we should not aggressively pursue compartmented mode ADP 
‘operations. These proposals should be addressed in conjunction with 
resources and billet reductions. In the meantime, DCID 1/16 should be re- 
examined with respect to APEX. For the near term, DIA should be concerned 
with their existing ADP-T systems and changes required to generate, - 
receive, and process changes in message formats. The scope and nature of 
this problem should. be investigated to ensure that the DODIIS transition | 
to APEX is orderly and can be executed within three to five years. 
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